Support multiple U2F keys

From GitHub: Multiple U2F key support · Issue #65 · bitwarden/server · GitHub

A typical U2F user workflow is to have at least two keys, one for daily use, another as backup.
As of now it seems that we can only register one U2F key at a time.

It might be very useful to be able to register/manage/unregister multiple keys.

Many websites supporting U2F provide this (Google, Facebook, GitHub, GitLab, …)

I would add that there should not be an artificial limit on the number of U2F keys allowed. I’d like to be able to leave keys in all my PCs in different locations, plus a backup or two.

2 Likes

Currently, as we can only register 1 U2F key for second-factor authentication, if one were to lose that key, he would lose access to the service and all passwords.

This forces users who want a backup plan to enable another second-factor authentication method in case the main one, U2F, is lost. However, most other second factors reduce the security of the account. If a hardware token is the most secure form, having to enable a second method like email or an authenticator app only serves to weaken the overall security of the account, because now you also need to protect your email account or the computer/mobile running the authenticator app.
Being able to register only U2F keys keeps the security at the top and allows a backup plan in case the main key is lost.

2 Likes

This is a very needed feature indeed.

Having 2 U2F keys is almost mandatory (see Google with their Advanced Protection system), since you must make a choice between the risk of losing the key and losing access to all accounts, or having a weaker “backup” way of connecting back to your account.

And by the way, thank you for the wonderful work!

1 Like

That’s not entirely true actually. There is a two-step login recovery code for when you lose your U2F key (or any other second factor).

Still I would also appreciate it if it would be possible to add more than one U2F key. Yubico OTP is great but it looks like U2F will be the future at least in browser and mobile space.

2 Likes

Any update on this? This is the one feature I need to make the switch.

I need this too :)

This is a very important feature for me as I have several U2F keys, each of which I use regularly on multiple computers. Having to register one key as U2F and the rest as Yubico or TOTP is both inconvenient and insecure.

I’m switching my family and business to Bitwarden partly to get away from OTP and use U2F more. I’d prefer we could use a second U2F device as a backup instead of going back to OTP options.

I have been waiting and it doesn’t seem to be happening. Is there a technical reason for this to be difficult to implement?

Laptops like the Pixelbook and MacBooks are starting to build U2F devices into the hardware. This will lead to everyone needing this in the coming years/months.

I signed up to the forum just to add my support to this request. I have a Yubikey U2F device that is always plugged into my laptop. I also use the U2F app on my Ledger Nano S, which is backed up via the device seed.

On most of my U2F accounts, I use the Yubikey device for everyday logins, then I have the Ledger device registered too, so I will always be able to recover my accounts even in dire circumstances where every device I own fails/is stolen (because the Ledger’s key is derived from the seed, which I have stored safely).

Because you only allow registration of one device, I have to use the Ledger as my primary key with Bitwarden, which can be a bit of a pain. Multiple keys would be greatly appreciated!

1 Like

I recently purchased two U2F Yubikeys for the purpose of password management.

I left LastPass because they only support OTP Yubikeys. I migrated to Dashlane because they support U2F Yubikeys but then discovered they force you to enable a less secure authentication in case you lose your keys. So you could imagine my excitement after hearing that Bitwarden not only supported U2F but they also didn’t force less secure authentication as backup. I eagerly paid for premium membership only to be severely disappointed. As far as I’m concerned, offering U2F is fairly pointless if it’s restricted to a single key and announcing it as a feature was a big tease.

So just want to express my support for this feature. And please consider that there is likely a sudden surge of demand for this feature if my personal experience is anything to go by. The only reason I finally took the plunge with Yubikey is after all the recent media attention around Google, how it stopped their employees getting phished and the news of the upcoming Titan keys.

1 Like

Taking into account standard U2F user behavior, I wouldn’t call U2F support complete before support for multiple keys is added.

I would say that U2F support is Bitwarden’s competitive advantage over LastPass or Dashlane.

Isn’t this already implemented? @kspearrin

I just checked and it still only allows one, unless I missed the option if placed somewhere obscure. You got me excited for nothing.

It supports multiple Yubico keys using their auth service. Unfortunately, this isn’t related to U2F.

I didn’t see any changes in this area in the last few months. Just a few fixes in the core lib around U2F.

You’re right, sorry. You can add multiple Yubikeys but not multiple U2F keys.

I think this is the only thing holding me back from premium. Also, the Google U2F keys are now for sale to the public: https://store.google.com/product/titan_security_key_kit
+1 for requesting support on this.

I also want to add support for this as well. I personally have 3 U2F keys that I would need set up in mine.